This week in malware, Sonatype's automated malware detection systems have flagged over four dozen packages on both the npm and PyPI registries. Most of these packages are dependency confusion candidates published as proof-of-concept (PoC) exercises by security enthusiasts and bug bounty hunters.
This week, Sonatype's automated malware detection system, offered as part of Sonatype Repository Firewall, flagged the following packages on the npm and PyPI registries:
@anemone95/evil
@carb-manager/cm-shared-js
@icloud-edu/silver-bullet
alchemix-v2-ui
appdirect-universal-search
brbsainath
ca-certificates
cm-shared-js
conflicting_modules
customer-satisfaction-survey
dataclasses-python-version
deskpro-notifications-service
dl-pp-latm
dotencode
epic-ue-marketo
epic-ue-search
epic-unreal-engine
eslint-config-i18n-scan
fncache
generaldelta
geodesic
ing-lib-payments-utilities
instantsearch-electron
integration_reddit
intergalactic-documentation
internallib_v100
internallib_v539
logpeck
mdcs-xms-core-lib
merchant-status-timeline
metaflow-ui
metamask-docs-next
my-little-snippet
nlu-devops-common
old_engine
optly-components
page-a
paypalme-components
pexels-figma
ppme-settings
ptokens-erc20-vault-smart-contract
react-native-aes-crypto-forked
react-native-animated-fox
sckit-learn
test-hach
theblock-ssr-nuxt
useevil
wc-skroutz-analytics
The discovery follows last week's report, which listed 120+ packages we had identified as malware and/or dependency confusion packages.
As a DevSecOps organization, we remain committed to identifying and halting threats to open source developers and the wider software supply chain.
Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages are automatically blocked from reaching their development builds.
Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start.
Sonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.